LinuxQuestions.org
Forum: Linux - Security
Fail2ban with htaccess protected area Ubuntuserver 14.04 failing 2 ban

#1 rmpms (LQ Newbie), 07-18-2015, 12:30 AM


Code:
root@----:/etc/fail2ban/action.d# fail2ban-client status
 Status
 |- Number of jail:    2
 `- Jail list:        apache, ssh
*****************

Code:
root@----:/etc/fail2ban/action.d# fail2ban-client status apache
 Status for the jail: apache
 |- filter
 |  |- File list:    /var/log/apache2/error.log 
 |  |- Currently failed:    0
 |  `- Total failed:    0
 `- action
    |- Currently banned:    0
    |  `- IP list:    
    `- Total banned:    0
***************************




Here are the errors in /var/log/apache2/error.log:

Code:
 [Fri Jul 17 00:16:23.974669  2015] [mpm_prefork:notice] [pid 13614] AH00163: Apache/2.4.7 (Ubuntu)  PHP/5.5.9-1ubuntu4.11 configured -- resuming normal operations
 [Fri Jul 17 00:16:23.974765 2015] [core:notice] [pid 13614] AH00094: Command line: '/usr/sbin/apache2'
 [Fri Jul 17 00:26:16.124260 2015] [mpm_prefork:notice] [pid 13614] AH00169: caught SIGTERM, shutting down
 [Fri Jul 17 00:26:17.219580 2015] [mpm_prefork:notice] [pid 13718]  AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.11 configured --  resuming normal operations
 [Fri Jul 17 00:26:17.219725 2015] [core:notice] [pid 13718] AH00094: Command line: '/usr/sbin/apache2'
 [Fri Jul 17 00:27:30.695823 2015] [auth_basic:error] [pid 13725] [client xx.x.xx.xx:45367] AH01617: user jason: authentication failure for  "/protect/": Password Mismatch
 [Fri Jul 17 00:27:34.436083 2015] [auth_basic:error] [pid 13725] [client xx.x.xx.xx:45367] AH01617: user jason: authentication failure for  "/protect/": Password Mismatch
 [Fri Jul 17 00:27:36.958196 2015] [auth_basic:error] [pid 13725] [client xx.x.xx.xx:45367] AH01617: user jason: authentication failure for  "/protect/": Password Mismatch
 [Fri Jul 17 00:27:40.002723 2015] [auth_basic:error] [pid 13725] [client xx.x.xx.xx:45367] AH01617: user jason: authentication failure for  "/protect/": Password Mismatch
(Just for clarification, this is not the whole file. There are hundreds of these attempts. I tried from multiple machines to create the fail. My home and office IP, my cell phone IP on 4G, etc...)


So the log files show a Password Mismatch, but nothing is being banned.

apache-auth has a built-in pattern for "Password Mismatch":
This is the apache-auth.conf file:

Code:
 # Fail2Ban apache-auth filter
 #
 
 [INCLUDES]
 
 # Read common prefixes. If any customizations available -- read them from
 # apache-common.local
 before = apache-common.conf
 
 [Definition]
 
 
 failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*\s*$
             ^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$
             ^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$
             ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*\s*$
             ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
             ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
             ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*' in realm `.+' (not found|denied by provide
 r): \S*\s*$
             ^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$
             ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+\s*$
             ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+\S*\s*$
             ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$
             ^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$
             ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .* received - user attempted time travel\s*$
****************************************
The apache jail is set to true in jail.local:
Code:

#
# HTTP servers
#

[apache]

enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
maxretry = 1

Code:
root@----:/etc/fail2ban/filter.d# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-apache  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-apache (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain fail2ban-ssh (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere


apache-auth.conf from filter.d

Code:
# Fail2Ban apache-auth filter
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# apache-common.local
before = apache-common.conf

[Definition]


failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*\s*$
            ^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$
            ^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$
            ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*\s*$
            ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
            ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
            ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*' in realm `.+' (not found|denied by provider): \S*\s*$
            ^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$
            ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+\s*$
            ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+\S*\s*$
            ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$
            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$
            ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .* received - user attempted time travel\s*$
failregex = [[]client <HOST>[]] (Digest: )?user .* (authentication failure|not found|Password Mismatch)

ignoreregex =

I'm at a loss. Does anyone see something that I am missing?
 
#2 Habitual (LQ Veteran), 07-18-2015, 08:23 AM
I adjusted your conf file and got "Success, the total number of match is 87"

It had some 'extra spaces' at the beginning of each line,
Code:
 # Fail2Ban apache-auth filter
 #
 
 [INCLUDES]
and I don't know what the hell happened to
Code:
^(_apache_error_client)s (AH0179[01]: |Digest: )user `.*' in realm `.+' (not found|denied by provide
 r): \S*\s*$
but it is one line.

I also added the missing
Code:
ignoreregex =
in your .conf

stick this in your /etc/fail2ban/filter.d/apache-auth.conf and
then test it by using
Code:
fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf
and the expected output is
"Success, the total number of match is "

Let us know!
Thank you,

And Welcome to LQ!
 
#3 rmpms (LQ Newbie, original poster), 07-20-2015, 05:49 PM
Well, it sees something, but it bans nothing.
Code:
Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [11] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
`-

Lines: 11 lines, 0 ignored, 0 matched, 11 missed
|- Missed line(s):
|  [Sun Jul 19 07:55:10.585885 2015] [mpm_prefork:notice] [pid 1551] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.11 configured -- resuming normal operations
|  [Sun Jul 19 07:55:10.585944 2015] [core:notice] [pid 1551] AH00094: Command line: '/usr/sbin/apache2'
|  [Sun Jul 19 08:11:26.692875 2015] [core:error] [pid 10925] [client 188.40.102.71:37311] AH00135: Invalid method in request  /?feed=atom HTTP/1.1
|  [Sun Jul 19 08:11:26.954841 2015] [core:error] [pid 10924] [client 188.40.102.71:37325] AH00135: Invalid method in request  /?feed=atom HTTP/1.1
|  [Sun Jul 19 13:31:36.541612 2015] [:error] [pid 10925] [client 185.25.151.159:38502] script '/var/www/html/site1/testproxy.php' not found or unable to stat
|  [Sun Jul 19 19:29:48.237767 2015] [:error] [pid 11095] [client 212.82.126.32:42293] script '/var/www/html/site1/wp-login.php' not found or unable to stat, referer: http://www.gamers-life.com
|  [Mon Jul 20 18:45:38.597811 2015] [auth_basic:error] [pid 10924] [client x:59502] AH01617: user jason: authentication failure for "/protect/": Password Mismatch
|  [Mon Jul 20 18:45:41.924693 2015] [auth_basic:error] [pid 10924] [client x:59502] AH01617: user jason: authentication failure for "/protect/": Password Mismatch
|  [Mon Jul 20 18:45:45.148625 2015] [auth_basic:error] [pid 10924] [client x:59502] AH01617: user jason: authentication failure for "/protect/": Password Mismatch
|  [Mon Jul 20 18:45:48.326422 2015] [auth_basic:error] [pid 10924] [client x:59502] AH01617: user jason: authentication failure for "/protect/": Password Mismatch
|  [Mon Jul 20 18:45:50.427541 2015] [auth_basic:error] [pid 10924] [client x:59502] AH01618: user  not found: /protect/
 
#4 rmpms (LQ Newbie, original poster), 07-20-2015, 05:54 PM
So gamers-life.com/protect is the .htaccess protected area.

What is keeping the ban from occurring?

And thank you for your help!
 
#5 Sefyir (Member), 07-20-2015, 08:35 PM
Hi, I had this issue a while back. This answer solved it:

http://stackoverflow.com/questions/2...iled-passwords
 
#6 rmpms (LQ Newbie, original poster), 07-20-2015, 09:16 PM
Bam! That did it.

Correcting my /etc/fail2ban/filter.d/apache-auth.conf per Habitual's direction

and

replacing:
Code:
_apache_error_client = \[[^]]*\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]
in /etc/fail2ban/filter.d/apache-common.conf per Sefyir's direction.

Got it working.

Thank you two!
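As an added example (not code from the thread, and not fail2ban's own matching engine), the following Python script applies the corrected _apache_error_client prefix from post #6 and two of the apache-auth.conf failregex lines from post #1 to constructed Apache log lines, beside an assumed Apache 2.2-era prefix, to show why the Apache 2.4 log format (module tag, pid, client port) was never matched and therefore never banned. The <HOST> expansion is a simplified stand-in for fail2ban's own tag, and fail2ban-regex remains the authoritative check on a real log.

```python
import re
from collections import Counter

# Corrected _apache_error_client prefix quoted in post #6 of the thread.
FIXED_PREFIX = (r'\[[^]]*\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])?'
                r' \[client <HOST>(:\d{1,5})?\]')
# Assumed Apache 2.2-era prefix (not from the thread): no module tag, no pid, no client port.
LEGACY_PREFIX = r'\[[^]]*\] \[error\] \[client <HOST>\]'

# Two failregex entries from the apache-auth.conf shown in the thread.
FAILREGEX = [
    r'^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$',
    r'^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$',
]

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 or hostname, no IPv6).
HOST_RE = r'(?P<host>[\w\-.]+)'

def compile_filter(prefix):
    """Expand the %(...)s include and the <HOST> tag the way fail2ban does."""
    return [re.compile((p % {'_apache_error_client': prefix}).replace('<HOST>', HOST_RE))
            for p in FAILREGEX]

def count_failures(lines, prefix):
    """Return a Counter of failures per client host for lines hit by any failregex."""
    patterns = compile_filter(prefix)
    hits = Counter()
    for line in lines:
        for pat in patterns:
            m = pat.search(line)
            if m:
                hits[m.group('host')] += 1
                break
    return hits

def hosts_to_ban(hits, maxretry):
    """Hosts whose failure count reached maxretry (the thread's jail uses maxretry = 1)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)

# Constructed sample lines modelled on the thread's error.log (TEST-NET addresses).
SAMPLE_LOG = [
    '[Mon Jul 20 18:45:38.597811 2015] [auth_basic:error] [pid 10924] [client 203.0.113.5:59502] AH01617: user jason: authentication failure for "/protect/": Password Mismatch',
    '[Mon Jul 20 18:45:41.924693 2015] [auth_basic:error] [pid 10924] [client 203.0.113.5:59502] AH01617: user jason: authentication failure for "/protect/": Password Mismatch',
    '[Mon Jul 20 18:45:50.427541 2015] [auth_basic:error] [pid 10924] [client 203.0.113.5:59502] AH01618: user  not found: /protect/',
    '[Mon Jul 20 18:45:00.000000 2015] [mpm_prefork:notice] [pid 1551] AH00163: Apache/2.4.7 (Ubuntu) configured -- resuming normal operations',
    # Apache 2.2-style line, to show the fixed prefix still accepts the old format.
    '[Fri Jul 17 00:27:30 2015] [error] [client 198.51.100.7] user bob: authentication failure for "/protect/": Password Mismatch',
]

if __name__ == '__main__':
    for name, prefix in (('legacy', LEGACY_PREFIX), ('fixed', FIXED_PREFIX)):
        hits = count_failures(SAMPLE_LOG, prefix)
        print(name, dict(hits), 'ban:', hosts_to_ban(hits, maxretry=1))
```

With the legacy prefix only the 2.2-style line counts, so the 2.4 client is never banned; with the fixed prefix all three auth_basic failures are attributed to 203.0.113.5 and the notice line is still ignored.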
 
#7 Habitual (LQ Veteran), 07-21-2015, 06:07 AM
It's a "we" thing, not a "me" thing.
Glad it worked out!

Go TeamLQ!
 
#8 rmpms (LQ Newbie, original poster), 07-22-2015, 06:21 PM
Thanks again!

I'll start another thread for the next thing pertaining to this that has me stumped, but I wanted to thank you all again.
 
  


Tags: apache, fail2ban, iptables